One question that I was often asked during my compliance career, and that still comes up regularly in workshops, is “what exactly is the difference between compliance and audit?”
The Basel Committee on Banking Supervision states quite clearly in its influential paper ‘Compliance and the Compliance Function in Banks’ that “the compliance function should be independent”; independence is one of the principles the paper sets out for the compliance function. Whilst I can see the argument for this from a purely theoretical point of view, I believe that in the real world a compliance function that attempted to maintain complete independence from the business (of which, we should remember, it is a part) would be less effective than it could be. I believe this because such a function would not develop the relationships that are essential for managing the firm’s compliance risk effectively. An effective compliance function needs to be seen as a business enabler, not a business preventer, and so must demonstrate that it understands the commercial pressures on the business and is solution focused in helping the firm achieve its objectives, albeit in a fully compliant manner.
The audit function, on the other hand, must be as independent as an internal function can be. This independence is possible because of the fundamental difference between audit and compliance. Audit has a much simpler remit than compliance, one that distils down to “are we doing what we said we would do?” This is a vital monitoring role, and it identifies risk within the business wherever a policy, process or procedure is not being implemented or followed correctly.
However, this process does not address the question “if we do what we say we are going to do, will we be complying with the regulation?” A clean audit therefore does not guarantee regulatory compliance. Ensuring that the policy, process or procedure delivers regulatory compliance (if followed) is the compliance function’s responsibility. Whilst monitoring compliance is undoubtedly one of the compliance function’s roles, in my view it comes behind its education/training and advisory responsibilities. Indeed, I would always try to influence the annual audit plan so that it covered aspects of the compliance monitoring that was required. At the end of the day, as long as the monitoring is done effectively it does not really matter who does it.
These broader responsibilities also demonstrate that, to be effective, the compliance function must be both forward and outward looking, whereas audit is much more concerned with the ‘here and now’ activities of the firm. You cannot ensure that processes will remain compliant over a period of time if you do not look out for changes. So the compliance function must carry out some kind of ‘horizon scanning’ activity, looking outside the firm and into the future, so that potential change is identified as early as possible. In this way it can help the business adapt to that change as smoothly (and as cost effectively) as possible.
So, to summarise: compliance is an operational function of the firm. It is there to manage compliance risk and protect the business, but in a pragmatic and risk-based way. Audit is a much more narrowly focused business assurance function.
Watch out for my next blog, ‘What is the difference between compliance and risk?'
If you’re interested in an ICA qualification in governance, risk and compliance, more information can be found on our ICA certificates and diplomas page. Alternatively, please call +44(0)121 362 7506 and we’ll happily talk you through your study options.